diff --git a/server/apparmor/apparmor_common.go b/server/apparmor/apparmor_common.go
index 6366a66e..76c640b8 100644
--- a/server/apparmor/apparmor_common.go
+++ b/server/apparmor/apparmor_common.go
@@ -3,10 +3,6 @@ package apparmor
 const (
 // DefaultApparmorProfile is the name of default apparmor profile name.
 DefaultApparmorProfile = "crio-default"
-
- // ContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container profile.
- ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
-
 // ProfileRuntimeDefault is he profile specifying the runtime default.
 ProfileRuntimeDefault = "runtime/default"
 // ProfileNamePrefix is the prefix for specifying profiles loaded on the node.
diff --git a/server/apparmor/apparmor_supported.go b/server/apparmor/apparmor_supported.go
index 7e23413b..49360470 100644
--- a/server/apparmor/apparmor_supported.go
+++ b/server/apparmor/apparmor_supported.go
@@ -34,7 +34,7 @@ type profileData struct {
 // EnsureDefaultApparmorProfile loads default apparmor profile, if it is not loaded.
 func EnsureDefaultApparmorProfile() error {
- if apparmor.IsEnabled() {
+ if IsEnabled() {
 loaded, err := IsLoaded(DefaultApparmorProfile)
 if err != nil {
 return fmt.Errorf("Could not check if %s AppArmor profile was loaded: %s", DefaultApparmorProfile, err)
@@ -59,12 +59,6 @@ func IsEnabled() bool {
 return apparmor.IsEnabled()
 }
-// GetProfileNameFromPodAnnotations gets the name of the profile to use with container from
-// pod annotations
-func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string {
- return annotations[ContainerAnnotationKeyPrefix+containerName]
-}
-
 // InstallDefault generates a default profile in a temp directory determined by
 // os.TempDir(), then loads the profile into the kernel using 'apparmor_parser'.
 func InstallDefault(name string) error {
diff --git a/server/apparmor/apparmor_unsupported.go b/server/apparmor/apparmor_unsupported.go
index fbd1d87a..20cd15d2 100644
--- a/server/apparmor/apparmor_unsupported.go
+++ b/server/apparmor/apparmor_unsupported.go
@@ -11,8 +11,3 @@ func IsEnabled() bool {
 func EnsureDefaultApparmorProfile() error {
 return nil
 }
-
-// GetProfileNameFromPodAnnotations dose nothing, when build without apparmor build tag.
-func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string {
- return ""
-}
diff --git a/server/container_create.go b/server/container_create.go
index 0f581c00..d3be04f2 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -740,7 +740,8 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 // set this container's apparmor profile if it is set by sandbox
 if s.appArmorEnabled && !privileged {
- appArmorProfileName := s.getAppArmorProfileName(sb.Annotations(), metadata.Name)
+
+ appArmorProfileName := s.getAppArmorProfileName(containerConfig.GetLinux().GetSecurityContext().GetApparmorProfile())
 if appArmorProfileName != "" {
 // reload default apparmor profile if it is unloaded.
 if s.appArmorProfile == apparmor.DefaultApparmorProfile {
@@ -751,6 +752,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 specgen.SetProcessApparmorProfile(appArmorProfileName)
 }
+
 }
 logPath := containerConfig.LogPath
@@ -1239,9 +1241,7 @@ func (s *Server) setupSeccomp(specgen *generate.Generator, profile string) error
 }
 // getAppArmorProfileName gets the profile name for the given container.
-func (s *Server) getAppArmorProfileName(annotations map[string]string, ctrName string) string {
- profile := apparmor.GetProfileNameFromPodAnnotations(annotations, ctrName)
-
+func (s *Server) getAppArmorProfileName(profile string) string {
 if profile == "" {
 return ""
 }
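Review bot: The comment left above the new call in the -740 hunk, `// set this container's apparmor profile if it is set by sandbox`, is now misleading: the profile is read from the container's own CRI security context (`containerConfig.GetLinux().GetSecurityContext().GetApparmorProfile()`), not from sandbox annotations, so a reader auditing how confinement is chosen would be sent to the wrong place. Suggest `// set this container's apparmor profile from its CRI security context`. The added blank line directly inside the `if` body, and the one added before its closing brace in the -751 hunk, carry no meaning and should be dropped so the diff stays limited to the behavioural change. createSandboxContainer starts and ends outside these hunks.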
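Review bot: With the new signature in the -1239 hunk, an empty CRI profile string still makes getAppArmorProfileName return `""`, and the caller in the -740 hunk then skips `specgen.SetProcessApparmorProfile` entirely, so a container whose security context omits the field appears to run without any AppArmor profile even though `s.appArmorEnabled` is true. If the intent is that unspecified means the configured default, the empty case should be treated like `apparmor.ProfileRuntimeDefault` instead of returning early — this depends on the rest of the body, which continues outside the hunk, and on whether the kubelet always populates the field, so please confirm. The doc comment also no longer fits the parameter: suggest `// getAppArmorProfileName maps the AppArmor profile string from the CRI security context to the profile name set on the OCI spec; an empty input yields no profile.`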